Can you Tango with a Megamos?
The best way to immobilise a car?
Now, the detailed review to which this Kat alludes is not a subtle reference to anything emanating from the Court of Appeal, which is never short of a word or two when it comes to IP litigation. Rather, it takes the form of a paper grandly entitled "Megamos Crypto, Responsible Disclosure, and the Chilling Effect of Volkswagen Aktiengesellschaft vs Garcia, et al", authored by another Katfriend -- Robert Carolina (a UK/US technology lawyer), who has teamed up with Professor Kenny Paterson (a University of London mathematician, cryptographer, and security researcher) for the purpose of crafting the circa 7,600 words that you can count, or read, by clicking here.
Safe from theft: distinctive markings deter all but the most hardened criminals
In addition to shedding light onto the fascinating (if little understood) field of cryptographic research, Carolina and Paterson provide six detailed criticisms of the decision.
* there is an inherent problem in attributing value to a secret crypto algorithm. The science of cryptography normally assumes that an attacker can discover the algorithm, and that an algorithm that is so widely distributed in consumer products will not likely remain secret forever. The court even appears to accept that the algorithm had been successfully reverse engineered by others.
* the decision does not provide a searching analysis of the risk created by publishing. It is not sufficient to say that publication would lower security; a risk analysis should attempt to explain how far that security has been lowered. Even if the immobiliser can be defeated, there is no discussion of how difficult that might be or what other actions would still be necessary to steal a car. Even though the court was weighing this risk against an infringement of free speech, there is nothing of substance on this issue in the decision.
* why was the court so willing to conclude that Tango Programmer was created using misappropriated – not reverse-engineered – information? The court draws a major inference from evidence that the manufacturer is aware that its product is sometimes misused for criminal purposes. This conflates two issues: (i) how the manufacturer created Tango Programmer and (ii) how Tango Programmer is (sometimes) used. The court does not acknowledge that legitimate security products can (and do) find their way into the hands of criminals as well as legitimate locksmiths.
* the court may have applied the wrong legal standard in making its preliminary assessment of the academics' responsibility. The court concluded that Tango Programmer was made using a misappropriated trade secret and that the academics "ought to have appreciated that". The recent UK Supreme Court decision in Vestergaard Frandsen A/S et al v Bestnet Europe Ltd et al, [2013] UKSC 31 [noted by the IPKat here] suggests that a higher standard should apply to this question – that the academics can be found liable only if they had actual knowledge or so-called "blind eye knowledge" of misappropriation. The latter requires a finding of "dishonesty" – not a finding that they merely "ought to have known".
* the court does not demonstrate a clear understanding of the phrase "responsible disclosure" as a term of art in security research. This misunderstanding is especially unfortunate, as the court is not shy in using this phrase to criticise the researchers.
* why did it take so long for the owners of this allegedly confidential information to enforce their rights? The court accepts that the Tango Programmer software has embodied the crypto algorithm since 2009, and suggests that the device is used (at least sometimes) by criminals. The product's website offers the device for sale throughout the EU, including a sales channel in the UK. The decision does not report on any past efforts to enforce trade secret rights in the UK or elsewhere against the manufacturer, importers, or sales agents.
Carolina and Paterson worry that this decision will have a chilling effect on security research in the UK: it could jeopardise the ability of UK academics to form multinational research efforts, since collaboration partners outside the UK might not wish to face the risk of a High Court injunction (in this case, for example, two of the three researchers appear to reside in the Netherlands, and only one appears to be employed by an English university).
Although they are critical of the decision, Carolina and Paterson conclude with an expression of sympathy for the court. "Judges, no matter how able, cannot be experts in all subjects. … it is the responsibility of others to explain … technology under review. Perhaps for no reason other than the compressed timetable leading up to the hearing and decision, it appears to us that this process of explaining complex technical facts and practices from an otherwise abstruse specialist field has somehow broken down".
The IPKat notes the authors' sympathy for the court as well as for the researchers, but reserves the main part of his sympathy for the owners of the cars which may, it seems, be only temporarily immobilised. If the algorithm is published, the cat (as it were) will be let out of the bag; if the algorithm isn't published, every crook on the planet with cryptographic skills has been alerted to the promise of success if he's clever or lucky enough. Presumably motor insurance companies have been busily re-calibrating their premiums too. This in turn leads him to speculate as to the circumstances in which a vulnerable third party, such as the owner of an expensive car, might succeed in an application to be joined in proceedings such as this. He doesn't think there's much chance, but wonders if readers have any better ideas.
Do litigants and code-crackers buy the same aspirational empowerment posters?